Software Protection Initiative (SPI)


• Goal: Protect critical DoD application software (running on general purpose computers) from piracy and exploitation

• Lead: DUSD(S&T)

- Office of Primary Responsibility (OPR): AFRL AT-SPI Technology Office


Scientific & Engineering/Modeling & Simulation Software


Mission Support Software


Enterprise Software containing critical personnel, pay, or medical information


Mission

Anti-Tamper Software Protection Office


• To deter the reverse engineering (RE) and exploitation of our military's critical technology.

• AC130U

- ~609,000 source lines of code (SLOC)

• F-22

- ~2 million SLOC

• JSF

- 19 million SLOC
Cutting the pilot out of the locked cockpit of an F-22.


Reverse Engineering


0000015A  833E00          cmp dword ptr [esi], 00000000
0000015D  0F8412FFFFFF    je 00000075
00000163  83C604          add esi, 00000004
00000166  813E20646147    cmp dword ptr [esi], 47616420
0000016C  7419            je 00000187
0000016E  3906            cmp dword ptr [esi], eax
00000170  740A            je 0000017C
00000172  391E            cmp dword ptr [esi], ebx
00000174  0F84FBFEFFFF    je 00000075
0000017A  EBE7            jmp 00000163
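How the hex column of the listing above maps to its branch targets, as an added example that is not part of the original slides: it recomputes each je/jmp destination from the instruction's address, length and signed displacement. The byte values are this slide's listing with OCR misreads corrected (an assumption checked by the arithmetic itself); the function names are illustrative.

```python
# Constructed from the slide's listing: (address, opcode bytes, target printed on the slide).
LISTING = [
    (0x15A, "833E00",       None),    # cmp dword ptr [esi], 0
    (0x15D, "0F8412FFFFFF", 0x075),   # je  rel32
    (0x163, "83C604",       None),    # add esi, 4
    (0x166, "813E20646147", None),    # cmp dword ptr [esi], 47616420h
    (0x16C, "7419",         0x187),   # je  rel8
    (0x16E, "3906",         None),    # cmp dword ptr [esi], eax
    (0x170, "740A",         0x17C),   # je  rel8
    (0x172, "391E",         None),    # cmp dword ptr [esi], ebx
    (0x174, "0F84FBFEFFFF", 0x075),   # je  rel32
    (0x17A, "EBE7",         0x163),   # jmp rel8
]

def branch_target(addr, raw):
    """Absolute target of je rel8 / jmp rel8 / je rel32, or None for other opcodes."""
    if len(raw) == 2 and raw[0] in (0x74, 0xEB):
        disp = int.from_bytes(raw[1:], "little", signed=True)
    elif len(raw) == 6 and raw[:2] == b"\x0f\x84":
        disp = int.from_bytes(raw[2:], "little", signed=True)
    else:
        return None
    # Displacement is relative to the address of the *next* instruction.
    return (addr + len(raw) + disp) & 0xFFFFFFFF

def check_listing(listing):
    """Return (address, computed target, printed target); reject gaps between instructions."""
    rows, expected = [], listing[0][0]
    for addr, hexbytes, shown in listing:
        raw = bytes.fromhex(hexbytes)
        if addr != expected:
            raise ValueError(f"gap before {addr:#x}: expected {expected:#x}")
        expected = addr + len(raw)
        rows.append((addr, branch_target(addr, raw), shown))
    return rows

def marker_ascii(hexbytes):
    """The imm32 of 'cmp dword ptr [esi], imm32' (81 3E imm32) as it sits in memory."""
    return bytes.fromhex(hexbytes)[2:].decode("ascii")

if __name__ == "__main__":
    for addr, got, shown in check_listing(LISTING):
        if got is not None:
            print(f"{addr:08X} -> {got:08X} (slide: {shown:08X})")
    print("compared constant in memory order:", repr(marker_ascii("813E20646147")))
```
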
Intellectual Property


Commercial Piracy


• Business Software Alliance (BSA) - 2006 Global Software Piracy Study

- 35% of software installed worldwide illegal

- $34 billion in pirated software

• Commercial companies seek to limit initial piracy/reverse engineering
Commercial Piracy

Consumer Education


Garret the Ferret - Copyright Crusader


Source: http://www.playitcybersafe.com/pdfs/Curriculum-CC-2005.pdf


RE Threat


• Access

• Analysis

• Understanding
Tools of the Trade
Static Analysis


• Decompilers

- Boomerang

- IDAPro beta plugin


• Disassemblers

- IDAPro


; Attributes: library function

; char *__cdecl strcpy(char *dst, const char *src)
strcpy  proc near               ; CODE XREF: sub 4042AI
                                ; sub_4B42AF+AA↑p ...

dst     = dword ptr  8
src     = dword ptr  0Ch

        push    edi
        mov     edi, [esp+dst]
        jmp     short loc_43A511
strcpy  endp

Tools of the Trade
Dynamic Analysis


• Debuggers

- Ollydbg

- WinDbg

- VAMPiRE

- Hardware ICE


• Emulators

- Bochs

- Custom Virtualizers


Software Protection Techniques


• Hardware Storage/Processing

• Obfuscation

• Anti-debugging

• Encryption

• Checksums
Obfuscation


Software Anti-Tamper (AT)


• Two major types in industry

- Encryption wrappers

- Integrated protections


Source: http://www.slane.co.nz/cartoons.html


Source: www.6seconds.org/anabel/map.html


Protections: Why they Fail


• Causes problems for the end user

• Negatively impacts performance

• Opens security holes

• Tedious to apply

• Easily broken

- BORE attacks


Starforce

Case Study


• $5 million lawsuit claiming software DRM was insecure

• Users claimed StarForce causes computer instability and crashes


Ubisoft officially dumps Starforce

Citing "complaints," the publisher ends its relationship with the copyright-protection provider.

By Tor Thorsen, GameSpot

Posted Apr 13, 2006 5:56 pm PT


Following several days of rumors, Ubisoft has officially confirmed that it will no longer use the controversial digital-rights software from Starforce.


Source: http://www.gamespot.com/news/6147655.html


Sony XCP

Case Study


• Sony BMG music CDs shipped with copy protection scheme

• Protection installs system driver that hides any file or process that begins with $sys$

• Protection device driver left system open to privilege escalation attack


AACS

Case Study


• Advanced Access Content System

- Copy protection

- Modification/Decryption protection

- Renewability and revocation

• Encryption only protects data at rest

- Code (e.g., keys) visible upon execution
XProtector

Case Study


• Software protection focused on kernel mode driver

• Discontinued due to repeated published breaks

• Updated product renamed as Themida

• Protection transitioned from kernel module to Virtual Machine


Ideal Software Protection


• High level of security against best attackers

• Low performance impact

• Resistant to repeat/automated attacks

• Protects against all forms of runtime analysis

• Securely locks to hardware

• Easy to apply

Protection Process


Metrics


• Difficult questions

- How much protection is enough?

- How long will it last?

• Determining metrics

- Blackhat assessments

- Red teams

- Markets

- Formal modeling


Sample of Protection Vendors


• Arxan

- http://www.arxan.com/solutions.html

• Pikewerks

- http://www.pikewerks.com/research.htm

• Cloakware

- http://www.cloakware.com/products_services/security_suite/

• Luna

- http://www.lunainnovations.com/research/secure.htm


Conclusion


• Software Protection (AT) is still very much in its infancy

• Significant research into formalizing protection techniques and assessment metrics

• Autonomous and dynamic/polymorphic protections will improve and become more prevalent

• Increased support from hardware (e.g., TPM) and software (e.g., Microsoft) vendors for secure systems


Questions?


Capt David Chaboya
Air Force Research Labs
Anti-Tamper and Software Protection Initiative (AT-SPI) Technology Office
Email: david.chabova@wpafb.af.mil
Phone: 937-320-9068


Acronyms


• AACS - Advanced Access Content System

• AFRL - Air Force Research Labs

• AT - Anti Tamper

• BORE - Break Once Run Everywhere

• DRM - Digital Rights Management

• DUSD(S&T) - Deputy Undersecretary of Defense (Science and Technology)

• OPR - Office of Primary Responsibility

• RE - Reverse Engineering

• SLOC - Source Lines of Code

• SPI - Software Protection Initiative

• TPM - Trusted Platform Module


